
Cannot delete infected file


Bubblan

Hi!

I've got some virus on my computer. I've read up on quite a lot of help along the way, but now I'm stuck. What happened was that through something I downloaded (I assume), Paladin Antivirus got installed on the computer, and it started popping up loads of virus warnings all the time and a lot of suspicious things appeared on the desktop. I've used the Malwarebytes program to get rid of lots of things, and that went well except that there's one damn file that won't go away. The log says

Infekterade filer:

C:\Windows\System32\drivers\tmpxisl.sys (Rootkit.Agent) -> Delete on reboot.

But it doesn't do that. There doesn't really seem to be anything wrong with the computer right now, since everything works as it should, but it feels highly inappropriate to leave that there, and I really don't know much about computers, so I would really appreciate some help!

Thanks in advance!

DDS (Ver_09-12-01.01) - NTFSx86

Run by Bodil at 9:43:42,48 on 2010-03-01

Internet Explorer: 8.0.6001.18882

Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.46.1053.18.2814.1496 [GMT 1:00]

AV: Paladin Antivirus *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Windows\system32\lsm.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\rundll32.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Option\Telenor Mobilt Bredband\GtDetectSc.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\SMINST\BLService.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe

C:\Windows\system32\taskeng.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\HP\QuickPlay\QPService.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\AVG\AVG9\avgtray.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Option\Telenor Mobilt Bredband\Telenor Mobilt Bredband.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\conime.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe

C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\AVG\AVG9\avgupd.exe

C:\Users\Bodil\Desktop\dds.scr

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www.facebook.com/

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=sv_se&c=91&bd=Presario&pf=cnnb

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=sv_se&c=91&bd=Presario&pf=cnnb

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=sv_se&c=91&bd=Presario&pf=cnnb

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.8.0.41\IPSBHO.DLL

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: AOL Toolbar BHO: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll

BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.8.0.41\coIEPlg.dll

TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"

mRun: [updateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"

mRun: [updatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"

mRun: [uCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\2.0"

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start

mRun: [updateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"

mRun: [updatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"

mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [RegistryQuick.exe] c:\program files\registryquick\RegistryQuick.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\teleno~1.lnk - c:\program files\option\telenor mobilt bredband\Telenor Mobilt Bredband.exe

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: &AOL Verktygsfalt Sök - c:\programdata\aol\ietoolbar\resources\sv-se\local\search.html

IE: E&xportera till Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {879B2534-D838-4D5C-9884-00B543C3FEAF} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: {DA5FD7D2-6805-4A02-8F9F-CD462A842A25} = 193.11.230.41,83.140.87.2

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.8.0.41\CoIEPlg.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

AppInit_DLLs: avgrsstx.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1008000.029\SymEFA.sys [2010-2-3 310320]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-26 333192]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-26 28424]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-26 360584]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1008000.029\BHDrvx86.sys [2010-2-3 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1008000.029\cchpx86.sys [2010-2-3 482432]

R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091111.001\IDSvix86.sys [2009-11-13 343088]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-26 285392]

R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]

R2 GtDetectSc;GtDetectSc;c:\program files\option\telenor mobilt bredband\GtDetectSc.exe [2007-12-18 196704]

R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.8.0.41\ccSvcHst.exe [2010-2-3 117640]

R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-11-8 365952]

R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-11-8 193840]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-16 102448]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

S2 gupdate;Tjänsten Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]

S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2008-2-18 106624]

S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2008-2-8 59648]

=============== Created Last 30 ================

2010-02-28 21:13:50 54016 ----a-w- c:\windows\system32\drivers\mflaasd.sys

2010-02-26 16:36:02 0 d-----r- c:\users\bodil\Antivirus stuff

2010-02-26 10:14:53 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-02-26 10:14:51 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-02-26 10:14:45 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-02-26 10:14:44 0 d-----w- c:\windows\system32\drivers\Avg

2010-02-26 10:14:42 0 d-----w- c:\programdata\AVG Security Toolbar

2010-02-26 02:24:37 0 d-----w- c:\programdata\SUPERAntiSpyware.com

2010-02-26 02:23:51 0 d-----w- c:\program files\SUPERAntiSpyware

2010-02-26 02:23:50 0 d-----w- c:\users\bodil\appdata\roaming\SUPERAntiSpyware.com

2010-02-26 02:21:15 0 d-----w- c:\program files\common files\Wise Installation Wizard

2010-02-26 01:55:35 0 d-----w- c:\program files\Enigma Software Group

2010-02-25 23:12:40 0 d-----w- c:\users\bodil\appdata\roaming\Malwarebytes

2010-02-25 23:12:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-25 23:12:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-25 23:12:29 0 d-----w- c:\programdata\Malwarebytes

2010-02-25 23:12:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-25 23:11:26 0 d-----w- c:\users\bodil\appdata\roaming\Paladin Antivirus

2010-02-25 22:24:40 3144 ----a-w- c:\programdata\fiosejgfse.dll

2010-02-25 22:18:59 791552 ----a-w- c:\windows\system32\drivers\tmpxisl.sys

2010-02-25 22:14:19 0 d-----w- c:\programdata\FLEXnet

2010-02-25 22:05:55 0 d-----w- c:\programdata\WindowsSearch

2010-02-25 21:58:13 0 d-----w- c:\program files\common files\Macrovision Shared

2010-02-25 20:29:28 0 d-----w- c:\windows\SHELLNEW

2010-02-25 20:11:52 0 d-----w- c:\users\bodil\appdata\roaming\GetRightToGo

2010-02-25 18:02:26 0 d-----w- c:\users\bodil\appdata\roaming\DC++

2010-02-25 17:37:47 0 d-----w- c:\program files\f3setupinstall

2010-02-25 17:37:23 0 d-----w- C:\sysmon

2010-02-24 13:29:30 0 ----a-w- c:\users\bodil\appdata\roaming\wklnhst.dat

2010-02-24 12:04:17 2048 ----a-w- c:\windows\system32\tzres.dll

2010-02-24 12:03:55 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe

2010-02-24 12:03:55 511488 ----a-w- c:\windows\system32\RMActivate.exe

2010-02-24 12:03:55 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe

2010-02-24 12:03:54 472576 ----a-w- c:\windows\system32\secproc_isv.dll

2010-02-24 12:03:54 472064 ----a-w- c:\windows\system32\secproc.dll

2010-02-24 12:03:54 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe

2010-02-24 12:03:54 329216 ----a-w- c:\windows\system32\msdrm.dll

2010-02-24 12:03:54 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll

2010-02-24 12:03:54 151040 ----a-w- c:\windows\system32\secproc_ssp.dll

2010-02-10 19:41:13 98304 ----a-w- c:\windows\system32\drivers\srvnet.sys

2010-02-10 19:41:13 301568 ----a-w- c:\windows\system32\drivers\srv.sys

2010-02-10 19:41:09 897624 ----a-w- c:\windows\system32\drivers\tcpip.sys

2010-02-10 19:41:04 3600472 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-10 19:41:04 3548760 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-10 19:40:57 91136 ----a-w- c:\windows\system32\avifil32.dll

2010-02-10 19:40:57 82944 ----a-w- c:\windows\system32\mciavi32.dll

2010-02-10 19:40:57 65024 ----a-w- c:\windows\system32\avicap32.dll

2010-02-10 19:40:57 50176 ----a-w- c:\windows\system32\iyuv_32.dll

2010-02-10 19:40:57 31744 ----a-w- c:\windows\system32\msvidc32.dll

2010-02-10 19:40:57 22528 ----a-w- c:\windows\system32\msyuv.dll

2010-02-10 19:40:57 13312 ----a-w- c:\windows\system32\msrle32.dll

2010-02-10 19:40:57 1314816 ----a-w- c:\windows\system32\quartz.dll

2010-02-10 19:40:57 123904 ----a-w- c:\windows\system32\msvfw32.dll

2010-02-10 19:40:57 11776 ----a-w- c:\windows\system32\tsbyuv.dll

2010-02-10 19:40:53 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2010-02-10 19:40:53 105472 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-01-31 14:24:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf

==================== Find3M ====================

2010-02-24 08:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-15 14:14:34 85114 ----a-w- c:\windows\system32\perfc00B.dat

2010-02-15 14:14:34 81602 ----a-w- c:\windows\system32\perfc006.dat

2010-02-15 14:14:34 76390 ----a-w- c:\windows\system32\perfc014.dat

2010-02-15 14:14:34 597836 ----a-w- c:\windows\system32\perfh01D.dat

2010-02-15 14:14:34 459536 ----a-w- c:\windows\system32\perfh006.dat

2010-02-15 14:14:34 443832 ----a-w- c:\windows\system32\perfh014.dat

2010-02-15 14:14:34 431812 ----a-w- c:\windows\system32\perfh00B.dat

2010-02-15 14:14:34 117416 ----a-w- c:\windows\system32\perfc01D.dat

2010-02-11 08:43:21 27839 ----a-w- c:\programdata\nvModes.dat

2010-01-31 14:40:33 51200 ----a-w- c:\windows\inf\infpub.dat

2010-01-31 14:40:32 86016 ----a-w- c:\windows\inf\infstor.dat

2010-01-31 14:40:32 143360 ----a-w- c:\windows\inf\infstrng.dat

2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll

2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll

2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll

2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe

2008-11-08 05:56:30 665600 ----a-w- c:\windows\inf\drvindex.dat

2008-11-08 05:23:13 35978 ----a-w- c:\windows\inf\perflib\041d\perfd.dat

2008-11-08 05:23:13 35978 ----a-w- c:\windows\inf\perflib\041d\perfc.dat

2008-11-08 05:23:13 290490 ----a-w- c:\windows\inf\perflib\041d\perfi.dat

2008-11-08 05:23:13 290490 ----a-w- c:\windows\inf\perflib\041d\perfh.dat

2008-11-08 05:17:01 35166 ----a-w- c:\windows\inf\perflib\0414\perfd.dat

2008-11-08 05:17:01 35166 ----a-w- c:\windows\inf\perflib\0414\perfc.dat

2008-11-08 05:17:01 294254 ----a-w- c:\windows\inf\perflib\0414\perfi.dat

2008-11-08 05:17:01 294254 ----a-w- c:\windows\inf\perflib\0414\perfh.dat

2008-11-08 05:11:05 36790 ----a-w- c:\windows\inf\perflib\040b\perfd.dat

2008-11-08 05:11:05 36790 ----a-w- c:\windows\inf\perflib\040b\perfc.dat

2008-11-08 05:11:05 274158 ----a-w- c:\windows\inf\perflib\040b\perfi.dat

2008-11-08 05:11:05 274158 ----a-w- c:\windows\inf\perflib\040b\perfh.dat

2008-11-08 05:05:24 36364 ----a-w- c:\windows\inf\perflib\0406\perfd.dat

2008-11-08 05:05:24 36364 ----a-w- c:\windows\inf\perflib\0406\perfc.dat

2008-11-08 05:05:24 300302 ----a-w- c:\windows\inf\perflib\0406\perfi.dat

2008-11-08 05:05:24 300302 ----a-w- c:\windows\inf\perflib\0406\perfh.dat

2008-01-21 02:57:01 174 --sha-w- c:\program files\desktop.ini

2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2008-11-08 05:56:29 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 9:48:21,05 ===============

Hmm, this was the only thing that came up after the program had run... Attach.txt, where do I find it?

Attach.txt should be on the Desktop.

Is it AVG or Norton you're going to use on the computer?

Paste the log that MBAM created on the first run after the infection.

It's not there... strange... I'm going to use AVG.

This is the first log after the infection, but now the only thing that comes up is that there's that one infected file left. Well, as of last night anyway. Now my internet is going to be shut off in a couple of minutes because of this, and I don't really know how to solve this that quickly :(

Malwarebytes' Anti-Malware 1.44

Databasversion: 3793

Windows 6.0.6001 Service Pack 1

Internet Explorer 8.0.6001.18882

2010-02-26 01:35:25

mbam-log-2010-02-26 (01-35-25).txt

Skanningstyp: Snabb skanning

Antal skannade objekt: 106882

Förfluten tid: 7 minute(s), 6 second(s)

Infekterade minnesprocesser: 1

Infekterade minnesmoduler: 1

Infekterade registernycklar: 31

Infekterade registervärden: 3

Infekterade registerdataposter: 0

Infekterade mappar: 11

Infekterade filer: 32

Infekterade minnesprocesser:

C:\Users\Bodil\AppData\Local\Temp\eventcreatexp.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Infekterade minnesmoduler:

C:\Users\Bodil\AppData\Roaming\Paladin Antivirus\phook.dll (Malware.Packer.Gen) -> Delete on reboot.

Infekterade registernycklar:

HKEY_CLASSES_ROOT\funwebproductsinstaller.start (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\funwebproductsinstaller.start.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\tbsb07286.ietoolbar (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{65dcd8fe-a6f4-47b5-a5bd-13952364defc} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{f55c26ae-bdb0-4cc3-ba4e-ba5a0806438e} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{f6bb6a9a-e77b-4d5b-82d0-15ffb881e963} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{59382727-9048-6123-1523-597264847187} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{59382727-9048-6123-1523-597264847187} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{59382727-9048-6123-1523-597264847187} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{c23d0d6a-8cba-4b33-9735-47d81f5b2b85} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c23d0d6a-8cba-4b33-9735-47d81f5b2b85} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{c23d0d6a-8cba-4b33-9735-47d81f5b2b85} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c23d0d6a-8cba-4b33-9735-47d81f5b2b85} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\tbsb07286.ietoolbar.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\tbsb07286.tbsb07286 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\tbsb07286.tbsb07286.3 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\toolbar3.tbsb07286 (Adware.Ecobar) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\toolbar3.tbsb07286.1 (Adware.Ecobar) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{1d4db7d1-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{1d4db7d3-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{1d4db7d0-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{4509d3cc-b642-4745-b030-645b79522c6d} (Adware.Ecobar) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{4897bba6-48d9-468c-8efa-846275d7701b} (Adware.Ecobar) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ca3eb689-8f09-4026-aa10-b9534c691ce0} (Adware.Ecobar) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\TBSB07286.TBSB07286Toolbar (Adware.Ecobar) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Infekterade registervärden:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eventcreatexp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{59382727-9048-6123-1523-597264847187} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{59382727-9048-6123-1523-597264847187} (Trojan.BHO) -> Quarantined and deleted successfully.

Infekterade registerdataposter:

(Inga illasinnade poster hittades)

Infekterade mappar:

C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\Program Files\FunWebProducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\Program Files\FunWebProducts\Installr\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\Program Files\ecobar (Adware.Ecobar) -> Delete on reboot.

C:\sysmon\pjtok85520 (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\sysmon\qkupl85530 (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\sysmon\toxto06642 (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\sysmon\btfa12886 (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\sysmon\cvgc13007 (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\sysmon\dwhd23007 (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Users\Bodil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

Infekterade filer:

C:\Users\Bodil\AppData\Roaming\Paladin Antivirus\phook.dll (Malware.Packer.Gen) -> Delete on reboot.

C:\Users\Bodil\AppData\Local\Temp\eventcreatexp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\Program Files\ecobar\ecobar.dll (Trojan.BHO) -> Delete on reboot.

C:\$RECYCLE.BIN\S-1-5-21-3036040259-1814866363-3629223680-1000\$R09JNJM.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\$RECYCLE.BIN\S-1-5-21-3036040259-1814866363-3629223680-1000\$RJ7NY0A.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Users\Bodil\AppData\Local\Temp\f3setup.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Users\Bodil\AppData\Local\Temp\setup.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Users\Bodil\AppData\Local\Temp\SPAM.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Users\Bodil\AppData\Local\Temp\wf.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Program Files\ecobar\basis.xml (Adware.Ecobar) -> Quarantined and deleted successfully.

C:\Program Files\ecobar\ecobar.crc (Adware.Ecobar) -> Quarantined and deleted successfully.

C:\Program Files\ecobar\icons.bmp (Adware.Ecobar) -> Quarantined and deleted successfully.

C:\Program Files\ecobar\info.txt (Adware.Ecobar) -> Quarantined and deleted successfully.

C:\Program Files\ecobar\tbhelper.dll (Adware.Ecobar) -> Delete on reboot.

C:\Program Files\ecobar\uninstall.exe (Adware.Ecobar) -> Quarantined and deleted successfully.

C:\Program Files\ecobar\version.txt (Adware.Ecobar) -> Quarantined and deleted successfully.

C:\Program Files\ecobar\your_logo.png (Adware.Ecobar) -> Quarantined and deleted successfully.

C:\sysmon\dwhd23007\nfng7354.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\sysmon\dwhd23007\pxacw6528.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Users\Bodil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Paladin Antivirus\Paladin Antivirus Support.lnk (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

C:\Users\Bodil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Paladin Antivirus\Paladin Antivirus.lnk (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

C:\Users\Bodil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Paladin Antivirus\Uninstall Paladin Antivirus.lnk (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

C:\ProgramData\mswintmp.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\ProgramData\_VOIDkrl32mainweq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\ProgramData\_VOIDmainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Users\Bodil\Desktop\Paladin Antivirus.lnk (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

C:\Users\Bodil\Desktop\Paladin Antivirus Support.lnk (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

C:\Users\Bodil\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Paladin Antivirus.lnk (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

C:\Users\Public\Desktop\nudetube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.

C:\Users\Public\Desktop\pornotube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.

C:\Users\Public\Desktop\youporn.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.

 

 


The computer cannot be cleaned in just a few minutes. Is it your internet provider that is cutting you off? If so, contact them and tell them that you are cleaning the computer with help from an internet forum, which means you need a working internet connection.


I live in student housing, and it is our student network group that cuts it off. Their phone hours start at 12, but it seems I got another 30 minutes by clicking the same "you have been disconnected, here are 30 minutes to fix it" link again. Maybe that will work until I can reach them by phone.


Not just Paladin on that computer but a nasty rootkit as well. Save ComboFix to the Desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

If you are now at a different computer than the infected one, you can move ComboFix to the infected computer with a USB stick, CD etc., and the log file it creates can be moved back the same way.

 

Close every program you can see, including antivirus and antispyware programs, but leave the firewall on.

How? See http://www.bleepingcomputer.com/forums/topic114351.html

Run ComboFix and follow the instructions it shows.

If you are asked whether you want to install the Recovery Console, answer yes.

 

IMPORTANT! Do not click in the ComboFix window with the mouse while it is running, otherwise it may hang.

 

When it is finished a log should appear; paste it into your reply. Check that the antivirus program etc. is running before you connect to the internet.

 

If you have trouble getting onto the internet:

Control Panel - Network Connections

right-click your internet connection and choose Repair, and/or restart the computer.

 

Warning! ComboFix turns off autorun for CDs, floppies and USB devices, to make cleaning the computer easier and to protect it against future infections. This can cause problems, for example if the computer gets its internet through a USB modem or a USB network adapter. In that case, say so instead of running ComboFix.


Okay! Now I am running ComboFix, but I have to ask: is it normal for it to take 3 hours? New completed stages are still appearing. Windows dialogs also keep popping up saying that PEV.exe has stopped working; they just sit there loading. Should I let them do that or cancel? Thanks so much for the help!


No, it is not normal for it to take that long. Abort ComboFix.

 

Save RKill by Grinler to the Desktop. Download it from the first of these links:

http://download.bleepingcomputer.com/grinler/rkill.com

http://download.bleepingcomputer.com/grinler/rkill.pif

http://download.bleepingcomputer.com/grinler/rkill.scr

http://download.bleepingcomputer.com/grinler/rkill.exe

 

Start RKill (in Vista and Windows 7 by right-clicking the file and choosing Run as administrator, if that option is there).

A black window/box will appear for a moment if the program managed to run.

If no black window/box appeared, delete that RKill variant and repeat with the next one.

 

If you get a message that RKill is harmful, ignore it. It is the malicious program that does not want to be stopped. Leave the warning on the screen and run RKill once more.

 

Run RKill several times in a row until you no longer see the malicious program, but at most 10 times. Then continue with the rest. If you do not see the malicious program from the start, 3 times is enough.

 

If none of the program variants can run, say so.

 

Then start ComboFix.


OK, now it seems to have worked as it should.

Here is the log:

 

ComboFix 10-02-28.03 - Bodil 2010-03-01 15:03:45.2.1 - x86

Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.46.1053.18.2814.1830 [GMT 1:00]

Running from: c:\users\Bodil\Desktop\ComboFix.exe

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\$recycle.bin\S-1-5-21-1773373934-1757097419-1532740055-500

c:\$recycle.bin\S-1-5-21-3036040259-1814866363-3629223680-500

c:\program files\f3setupinstall

c:\program files\f3setupinstall\f3initialsetup1.0.1.1.inf

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat

c:\programdata\Microsoft\Network\Downloader\qmgr1.dat

 

----- BITS: Possible infected sites -----

 

hxxp://armmf.adobe.com

.

(((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 ))))))))))))))))))))))))))))))

.

 

2010-03-01 14:15 . 2010-03-01 14:16 -------- d-----w- c:\users\Bodil\AppData\Local\temp

2010-03-01 14:15 . 2010-03-01 14:15 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-03-01 13:52 . 2010-02-12 16:41 558448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll

2010-02-26 16:36 . 2010-02-26 16:36 -------- d-----r- c:\users\Bodil\Antivirus stuff

2010-02-26 10:29 . 2010-02-26 10:14 3777280 ----a-w- c:\programdata\avg9\update\backup\setup.exe

2010-02-26 10:29 . 2010-02-26 10:14 1260800 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe

2010-02-26 10:14 . 2010-02-26 10:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-02-26 10:14 . 2010-02-26 10:14 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-02-26 10:14 . 2010-02-26 10:14 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-02-26 10:14 . 2010-03-01 08:44 -------- d-----w- c:\windows\system32\drivers\Avg

2010-02-26 10:14 . 2010-02-26 10:14 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-02-26 10:14 . 2010-02-26 10:17 -------- d-----w- c:\programdata\AVG Security Toolbar

2010-02-26 02:25 . 2010-02-26 02:25 52224 ----a-w- c:\users\Bodil\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-02-26 02:25 . 2010-02-26 02:25 117760 ----a-w- c:\users\Bodil\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-02-26 02:24 . 2010-02-26 02:24 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

2010-02-26 02:23 . 2010-02-26 02:23 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-02-26 02:23 . 2010-02-26 02:23 -------- d-----w- c:\users\Bodil\AppData\Roaming\SUPERAntiSpyware.com

2010-02-26 02:21 . 2010-02-26 02:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-02-26 01:55 . 2010-02-26 01:55 -------- d-----w- c:\program files\Enigma Software Group

2010-02-25 23:13 . 2010-02-26 01:43 680 ----a-w- c:\users\Bodil\AppData\Local\d3d9caps.dat

2010-02-25 23:12 . 2010-02-25 23:12 -------- d-----w- c:\users\Bodil\AppData\Roaming\Malwarebytes

2010-02-25 23:12 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-25 23:12 . 2010-02-26 00:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-25 23:12 . 2010-02-25 23:12 -------- d-----w- c:\programdata\Malwarebytes

2010-02-25 23:12 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-25 23:11 . 2010-02-28 17:10 -------- d-----w- c:\users\Bodil\AppData\Roaming\Paladin Antivirus

2010-02-25 22:24 . 2010-02-26 00:37 3144 ----a-w- c:\programdata\fiosejgfse.dll

2010-02-25 22:18 . 2010-03-01 14:16 791552 ----a-w- c:\windows\system32\drivers\tmpxisl.sys

2010-02-25 22:14 . 2010-02-25 22:14 -------- d-----w- c:\programdata\FLEXnet

2010-02-25 22:06 . 2010-02-25 22:06 -------- d-----w- c:\program files\Adobe Media Player

2010-02-25 22:05 . 2010-02-25 22:05 -------- d-----w- c:\programdata\WindowsSearch

2010-02-25 21:58 . 2010-02-25 21:58 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2010-02-25 20:32 . 2010-02-25 20:32 -------- d-----w- c:\program files\Microsoft.NET

2010-02-25 20:29 . 2010-02-25 20:33 -------- d-----w- c:\windows\SHELLNEW

2010-02-25 20:26 . 2010-02-25 20:26 -------- d-----r- C:\MSOCache

2010-02-25 20:11 . 2010-02-25 20:56 -------- d-----w- c:\users\Bodil\AppData\Roaming\GetRightToGo

2010-02-25 18:02 . 2010-02-25 18:41 -------- d-----w- c:\users\Bodil\AppData\Roaming\DC++

2010-02-25 18:02 . 2010-02-25 18:06 -------- d-----w- c:\users\Bodil\AppData\Local\DC++

2010-02-25 17:37 . 2010-02-26 00:35 -------- d-----w- C:\sysmon

2010-02-24 13:29 . 2010-02-24 13:29 -------- d-----w- c:\users\Bodil\AppData\Roaming\Template

2010-02-24 12:04 . 2010-01-23 09:44 2048 ----a-w- c:\windows\system32\tzres.dll

2010-02-24 12:03 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe

2010-02-24 12:03 . 2010-01-25 08:34 511488 ----a-w- c:\windows\system32\RMActivate.exe

2010-02-24 12:03 . 2010-01-25 08:34 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe

2010-02-24 12:03 . 2010-01-25 12:48 472576 ----a-w- c:\windows\system32\secproc_isv.dll

2010-02-24 12:03 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll

2010-02-24 12:03 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp.dll

2010-02-24 12:03 . 2010-01-25 12:48 472064 ----a-w- c:\windows\system32\secproc.dll

2010-02-24 12:03 . 2010-01-25 12:45 329216 ----a-w- c:\windows\system32\msdrm.dll

2010-02-24 12:03 . 2010-01-25 08:35 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe

2010-02-23 11:08 . 2010-02-23 16:21 -------- d-----w- c:\users\Bodil\AppData\Roaming\dvdcss

2010-02-23 09:51 . 2010-02-23 09:51 -------- d-----w- c:\users\Public\Recorded TV

2010-02-23 09:51 . 2010-02-23 15:16 -------- d-----w- c:\users\Bodil\AppData\Local\QuickPlay

2010-02-10 19:41 . 2009-12-11 12:07 301568 ----a-w- c:\windows\system32\drivers\srv.sys

2010-02-10 19:41 . 2009-12-11 12:07 98304 ----a-w- c:\windows\system32\drivers\srvnet.sys

2010-02-10 19:41 . 2009-12-08 20:52 897624 ----a-w- c:\windows\system32\drivers\tcpip.sys

2010-02-10 19:41 . 2009-12-08 20:36 3600472 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-10 19:41 . 2009-12-08 20:36 3548760 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-10 19:40 . 2009-12-28 12:35 11776 ----a-w- c:\windows\system32\tsbyuv.dll

2010-02-10 19:40 . 2009-12-28 12:35 1314816 ----a-w- c:\windows\system32\quartz.dll

2010-02-10 19:40 . 2009-12-28 12:32 22528 ----a-w- c:\windows\system32\msyuv.dll

2010-02-10 19:40 . 2009-12-28 12:32 31744 ----a-w- c:\windows\system32\msvidc32.dll

2010-02-10 19:40 . 2009-12-28 12:32 123904 ----a-w- c:\windows\system32\msvfw32.dll

2010-02-10 19:40 . 2009-12-28 12:32 13312 ----a-w- c:\windows\system32\msrle32.dll

2010-02-10 19:40 . 2009-12-28 12:31 82944 ----a-w- c:\windows\system32\mciavi32.dll

2010-02-10 19:40 . 2009-12-28 12:31 50176 ----a-w- c:\windows\system32\iyuv_32.dll

2010-02-10 19:40 . 2009-12-28 12:28 91136 ----a-w- c:\windows\system32\avifil32.dll

2010-02-10 19:40 . 2009-12-28 12:28 65024 ----a-w- c:\windows\system32\avicap32.dll

2010-02-10 19:40 . 2009-12-04 16:12 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2010-02-10 19:40 . 2009-12-04 16:12 105472 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-03 16:44 . 2010-02-03 16:43 37176 ----a-w- c:\users\Bodil\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-02-03 16:43 . 2010-02-03 16:43 -------- d-----w- c:\program files\Common Files\Adobe AIR

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-28 10:31 . 2009-12-05 23:14 -------- d-----w- c:\users\Bodil\AppData\Roaming\Spotify

2010-02-27 13:51 . 2009-12-10 19:58 -------- d-----w- c:\users\Bodil\AppData\Roaming\LimeWire

2010-02-27 02:14 . 2009-09-15 11:52 -------- d-----w- c:\programdata\Microsoft Help

2010-02-26 10:14 . 2009-12-10 19:23 -------- d-----w- c:\programdata\avg9

2010-02-26 09:50 . 2010-01-19 21:45 -------- d-----w- c:\users\Bodil\AppData\Roaming\uTorrent

2010-02-25 22:14 . 2009-09-15 12:01 107616 ----a-w- c:\users\Bodil\AppData\Local\GDIPFONTCACHEV1.DAT

2010-02-25 22:08 . 2009-09-15 11:51 -------- d-----w- c:\program files\Common Files\Adobe

2010-02-25 20:34 . 2009-09-15 11:54 -------- d-----w- c:\program files\Microsoft Works

2010-02-25 19:18 . 2009-09-15 19:43 -------- d-----w- c:\users\Bodil\AppData\Roaming\Skype

2010-02-25 17:42 . 2009-10-25 12:17 148 ----a-w- c:\programdata\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll

2010-02-25 17:11 . 2009-09-15 19:45 -------- d-----w- c:\users\Bodil\AppData\Roaming\skypePM

2010-02-24 13:29 . 2010-02-24 13:29 0 ----a-w- c:\users\Bodil\AppData\Roaming\wklnhst.dat

2010-02-24 08:16 . 2009-11-24 16:18 181632 ------w- c:\windows\system32\MpSigStub.exe

2010-02-23 16:56 . 2009-12-04 14:10 -------- d-----w- c:\users\Bodil\AppData\Roaming\vlc

2010-02-23 09:52 . 2008-11-08 05:46 -------- d-----w- c:\programdata\CyberLink

2010-02-23 09:51 . 2009-12-28 17:44 -------- d-----w- c:\users\Bodil\AppData\Roaming\CyberLink

2010-02-15 14:14 . 2008-11-08 05:24 597836 ----a-w- c:\windows\system32\perfh01D.dat

2010-02-15 14:14 . 2008-11-08 05:24 117416 ----a-w- c:\windows\system32\perfc01D.dat

2010-02-15 14:14 . 2008-11-08 05:17 76390 ----a-w- c:\windows\system32\perfc014.dat

2010-02-15 14:14 . 2008-11-08 05:17 443832 ----a-w- c:\windows\system32\perfh014.dat

2010-02-15 14:14 . 2008-11-08 05:11 85114 ----a-w- c:\windows\system32\perfc00B.dat

2010-02-15 14:14 . 2008-11-08 05:11 431812 ----a-w- c:\windows\system32\perfh00B.dat

2010-02-15 14:14 . 2008-11-08 05:05 81602 ----a-w- c:\windows\system32\perfc006.dat

2010-02-15 14:14 . 2008-11-08 05:05 459536 ----a-w- c:\windows\system32\perfh006.dat

2010-02-11 08:43 . 2009-09-27 14:17 27839 ----a-w- c:\programdata\nvModes.dat

2010-02-11 02:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail

2010-01-31 14:24 . 2010-01-31 14:24 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf

2010-01-30 13:20 . 2009-09-27 14:20 -------- d-----w- c:\program files\Google

2010-01-30 07:54 . 2010-01-30 07:55 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbBFDE.tmp.exe

2010-01-22 02:18 . 2009-09-15 19:18 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-19 21:46 . 2010-01-19 21:46 -------- d-----w- c:\program files\Ask.com

2010-01-06 21:17 . 2009-12-10 19:56 -------- d-----w- c:\program files\LimeWire

2010-01-06 20:11 . 2010-01-06 20:11 -------- d-----w- c:\program files\Telia

2010-01-02 06:38 . 2010-01-25 23:49 916480 ----a-w- c:\windows\system32\wininet.dll

2010-01-02 06:32 . 2010-01-25 23:49 71680 ----a-w- c:\windows\system32\iesetup.dll

2010-01-02 06:32 . 2010-01-25 23:49 109056 ----a-w- c:\windows\system32\iesysprep.dll

2010-01-02 04:57 . 2010-01-25 23:49 133632 ----a-w- c:\windows\system32\ieUnatt.exe

2010-01-01 16:47 . 2010-01-01 16:47 -------- d-----w- c:\program files\Option

2009-12-05 09:17 . 2009-12-05 09:17 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbF185.tmp.exe

2008-11-08 05:56 . 2008-11-08 05:26 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT

.

 

(((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

 

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-11-25 12:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2009-09-02 13:56 1175944 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

 

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

 

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

 

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883840]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-27 39408]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-11 13543968]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-11 92704]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]

"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]

"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]

"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]

"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-02 202032]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]

"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

 

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Telenor Mobilt Bredband.lnk - c:\program files\Option\Telenor Mobilt Bredband\Telenor Mobilt Bredband.exe [2008-3-4 876544]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

 

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1008000.029\SymEFA.sys [2010-02-03 310320]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2010-02-26 333192]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2010-02-26 360584]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NIS\1008000.029\BHDrvx86.sys [2010-02-03 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1008000.029\cchpx86.sys [2010-02-03 482432]

R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091111.001\IDSvix86.sys [2009-11-13 343088]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2010-02-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-02-26 285392]

R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [2008-01-21 21504]

R2 GtDetectSc;GtDetectSc;c:\program files\Option\Telenor Mobilt Bredband\GtDetectSc.exe [2007-12-18 196704]

R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe [2010-02-03 117640]

R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-11-08 365952]

R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-11-08 193840]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-09-16 102448]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [2008-05-09 43040]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]

S2 gupdate;Tjänsten Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 135664]

S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\System32\drivers\Gt51Ip.sys [2008-02-18 106624]

S3 GT72UBUS;GT 72 U BUS;c:\windows\System32\drivers\gt72ubus.sys [2008-02-08 59648]

 

--- Other Services/Drivers In Memory ---

 

*Deregistered* - tmpxisl

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ezSharedSvc

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder:

 

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 13:20]

 

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 13:20]

.

.

------- Supplementary Scan -------

.

uStart Page = www.facebook.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=sv_se&c=91&bd=Presario&pf=cnnb

uInternet Settings,ProxyOverride = *.local

IE: &AOL Verktygsfalt Sök - c:\programdata\AOL\ieToolbar\resources\sv-SE\local\search.html

IE: E&xportera till Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

TCP: {DA5FD7D2-6805-4A02-8F9F-CD462A842A25} = 193.11.230.41,83.140.87.2

.

- - - - ORPHANS REMOVED - - - -

 

HKLM-Run-RegistryQuick.exe - c:\program files\RegistryQuick\RegistryQuick.exe

SafeBoot-klmdb.sys

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-01 15:16

Windows 6.0.6001 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tmpxisl]

 

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Completion time: 2010-03-01 15:21:54

ComboFix-quarantined-files.txt 2010-03-01 14:21

 

Pre-Run: 140 637 696 000 bytes free

Post-Run: 141 616 357 376 bytes free

 

- - End Of File - - 6DA42A8868E400F9183E9DC00062F67E

 

 

 

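The "Other Services/Drivers In Memory" section of the ComboFix log above reports tmpxisl as *Deregistered*, and the registry dump near the end shows its service key with no values at all: the driver is loaded, but nothing under the Services key accounts for it. The following PowerShell script is an added example written for this page, not ComboFix's or Gmer's own code, that reproduces that check by hand: it enumerates the kernel drivers loaded right now and reports the ones that no service entry explains. It assumes PowerShell 2.0 or later run as administrator on Vista or Windows 7; the Win32Native.Psapi wrapper name and the function names are my own.

```powershell
<#
  Added example for this page, not ComboFix or Gmer code. Reproduces the check
  behind ComboFix's "Other Services/Drivers In Memory ... *Deregistered*" line:
  list the kernel drivers loaded right now and report those that no entry under
  HKLM\SYSTEM\CurrentControlSet\Services accounts for. Assumes an elevated
  PowerShell 2.0 or later on Vista/7. Win32Native.Psapi and the function names are mine.
#>
$psapi = Add-Type -Namespace Win32Native -Name Psapi -PassThru -MemberDefinition @'
[DllImport("psapi.dll", SetLastError = true)]
public static extern bool EnumDeviceDrivers(IntPtr[] lpImageBase, int cb, out int lpcbNeeded);
[DllImport("psapi.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern int GetDeviceDriverBaseName(IntPtr ImageBase, System.Text.StringBuilder lpBaseName, int nSize);
[DllImport("psapi.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern int GetDeviceDriverFileName(IntPtr ImageBase, System.Text.StringBuilder lpFilename, int nSize);
'@

# "system32\DRIVERS\x.sys", "\SystemRoot\...\x.sys" and "\??\C:\...\x.sys" all reduce to "x".
function Get-Stem([string]$PathLike) {
    $leaf = ($PathLike.Trim('"') -split '[\\/]')[-1]
    ($leaf -replace '\.[^.]+$', '').ToLower()
}

function Get-LoadedKernelDrivers {
    # First call with an empty buffer only asks how many bytes the image-base array needs.
    $needed = 0
    [void]$psapi::EnumDeviceDrivers((New-Object IntPtr[] 0), 0, [ref]$needed)
    $bases = New-Object IntPtr[] ([int]($needed / [IntPtr]::Size))
    if (-not $psapi::EnumDeviceDrivers($bases, $needed, [ref]$needed)) {
        throw ('EnumDeviceDrivers failed, Win32 error ' + [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    foreach ($base in $bases) {
        $name = New-Object System.Text.StringBuilder 260
        $path = New-Object System.Text.StringBuilder 1024
        [void]$psapi::GetDeviceDriverBaseName($base, $name, $name.Capacity)
        [void]$psapi::GetDeviceDriverFileName($base, $path, $path.Capacity)
        New-Object PSObject -Property @{
            Base = ('0x{0:X8}' -f $base.ToInt64()); Name = $name.ToString(); Path = $path.ToString()
        }
    }
}

function Get-RegisteredDriverStems {
    # Everything the Service Control Manager knows: the key name itself (inbox drivers
    # without an ImagePath default to system32\drivers\<key>.sys) and the ImagePath file name.
    $stems = @{}
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $stems[$key.PSChildName.ToLower()] = $true
        $p = Get-ItemProperty -LiteralPath $key.PSPath
        if ($p.ImagePath -and (($p.Type -band 3) -ne 0)) {   # Type 1 = kernel driver, 2 = file-system driver
            $stems[(Get-Stem $p.ImagePath)] = $true
        }
    }
    $stems
}

function Find-UnregisteredDrivers {
    $known = Get-RegisteredDriverStems
    Get-LoadedKernelDrivers | Where-Object { -not $known.ContainsKey((Get-Stem $_.Name)) }
}

# Core kernel images (ntoskrnl.exe, hal.dll, kdcom.dll, ci.dll, pshed.dll, bootvid.dll,
# clfs.sys, win32k.sys ...) are loaded without a service entry and will be listed too;
# anything beyond those deserves a look. A rootkit that hooks this enumeration will
# not appear at all, which is why a kernel-side rootkit scanner is the next step in the thread.
Find-UnregisteredDrivers | Sort-Object Name | Format-Table Name, Base, Path -AutoSize
```

Run it before and after a reboot. A driver that shows up here, has an empty or missing service key, and is still there after the reboot is being loaded again by something that is still running, which is the situation this thread is in.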

HookProcess

Is Malwarebytes still reporting tmpxisl.sys?

 

C:\Windows\System32\drivers\tmpxisl.sys (Rootkit.Agent) -> Delete on reboot.

Is Malwarebytes still reporting tmpxisl.sys?

It should, since the file is still there.

 

Take it easy until I have had time to go through the ComboFix log.


Start by getting rid of Norton. First uninstall everything Norton and Symantec in Control Panel - Programs and Features and restart the computer. Then save Symantec's removal tool to the Desktop and run it from there.

http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20090910004050EN Step 2, points 1 - 4

 

Run RKill a few times after each restart of the computer.


On the page http://www.virustotal.com click the Browse button and paste the following filename into the box, click Send File and wait until the result is ready (Current status becomes finished). Paste the results from the various antivirus programs (not the Other information) or a link to the result here.

C:\Windows\System32\drivers\tmpxisl.sys

 

Save Gmer to the Desktop from:

http://www2.gmer.net/download.php

Unpack the file to the Desktop.

Unplug the internet connection.

Close all programs, including antivirus and firewall.

Start the program gmer.exe.

If a question about "scan" comes up, choose No. Save the log and paste it into your reply. Do nothing more.

 

If the question does not come up, choose the Rootkit/Malware tab, check that everything on the right is ticked except Show All and partitions other than C:. Click Scan. Leave the computer alone while Gmer is working.

Click Save and save the result to the Desktop.

Turn on the antivirus program and firewall before you connect to the internet.

Paste the result into your reply.


Norton is now uninstalled. But I cannot do the next step, because as soon as I click download on the Symantec page it says the web page cannot be displayed. Is it my computer's fault, can it be skipped, or what should I do now?

 

 


HookProcess

I would have downloaded Avenger2 here and pasted the following lines into the program:

Drivers to disable:
tmpxisl

Drivers to delete:
tmpxisl

Files to delete:
C:\Windows\System32\drivers\tmpxisl.sys

Then Execute ;)

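HookProcess's three-line Avenger script above asks for exactly three things: disable the driver service, delete it, delete the file. The following PowerShell script is an added example written for this page, not Avenger, Malwarebytes or ComboFix code, that does those three steps by hand with a check after each, and first records the file's size, timestamps and SHA-256, so the file can be looked up on VirusTotal by hash instead of uploading it, which is what Cecilia's VirusTotal step earlier in the thread is after. The service name and path are the ones the thread's logs report; an elevated PowerShell 2.0 or later on Vista or Windows 7 is assumed; the Win32Native.Kernel32 wrapper and Get-Sha256Hex are my own names.

```powershell
<#
  Added example for this page, not Avenger, Malwarebytes or ComboFix code.
  Does the three Avenger steps by hand (disable/delete the driver service,
  delete the file) with evidence gathered first and a check after each step.
  Assumes an elevated PowerShell 2.0 or later on Vista/7. The service name
  and path are the ones the thread's logs report; change the two parameters
  for any other driver. Win32Native.Kernel32 and Get-Sha256Hex are my names.
#>
param(
    [string]$ServiceName = 'tmpxisl',
    [string]$DriverPath  = 'C:\Windows\System32\drivers\tmpxisl.sys'
)

$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell (right-click, Run as administrator).'
}

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$smKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# SHA-256 through .NET so it also works on PowerShell 2.0 (Get-FileHash needs 4.0).
# With the hash you can search VirusTotal without uploading the file.
function Get-Sha256Hex([string]$Path) {
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = [System.Security.Cryptography.SHA256]::Create().ComputeHash($stream)
        return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally { $stream.Close() }
}

# --- 1. Evidence first ---------------------------------------------------
if (Test-Path -LiteralPath $DriverPath) {
    $f = Get-Item -LiteralPath $DriverPath -Force
    Write-Output ('{0}: {1} bytes, created {2}, modified {3}' -f $f.FullName, $f.Length, $f.CreationTime, $f.LastWriteTime)
    try   { Write-Output ('SHA256 ' + (Get-Sha256Hex $DriverPath)) }
    catch { Write-Output "Could not read the file for hashing: $($_.Exception.Message)" }
    # A kernel driver with no valid signature, or a signer you do not recognise, is suspect on its own.
    Write-Output ('Authenticode: ' + (Get-AuthenticodeSignature -FilePath $DriverPath).Status)
} else {
    Write-Output "$DriverPath is not visible from here; a rootkit may be hiding it. Check again from a boot CD."
}

if (Test-Path -LiteralPath $svcKey) {
    $p = Get-ItemProperty -LiteralPath $svcKey
    # Start: 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled. Type 1/2 = kernel/file-system driver.
    # In the thread's ComboFix log this key exists but holds no values at all ("*Deregistered*").
    Write-Output ("Service key present: ImagePath='{0}' Start={1} Type={2}" -f $p.ImagePath, $p.Start, $p.Type)
} else {
    Write-Output "No service key at $svcKey"
}

# --- 2. Disable and delete the service ----------------------------------
& sc.exe stop   $ServiceName 2>&1 | Out-Null     # harmless if it is not running
& sc.exe delete $ServiceName 2>&1 | Out-Null     # exit code 1060 = the SCM has no such service
if ($LASTEXITCODE -ne 0 -and (Test-Path -LiteralPath $svcKey)) {
    # The key is there but the SCM does not own it: remove it directly.
    # This fails if the key is ACL-locked, as the "LOCKED REGISTRY KEYS" section shows for other keys.
    try   { Remove-Item -LiteralPath $svcKey -Recurse -Force -ErrorAction Stop; Write-Output "Removed $svcKey" }
    catch { Write-Output "Could not remove ${svcKey}: $($_.Exception.Message)" }
}

# --- 3. Delete the file, or queue it for deletion at the next boot -------
# MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) is what "Delete on reboot" means:
# the path goes into PendingFileRenameOperations and the Session Manager removes it at boot.
$k32 = Add-Type -Namespace Win32Native -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string src, string dst, int flags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 4

if (Test-Path -LiteralPath $DriverPath) {
    try {
        Remove-Item -LiteralPath $DriverPath -Force -ErrorAction Stop
        Write-Output "Deleted $DriverPath immediately."
    } catch {
        Write-Output "Immediate delete failed ($($_.Exception.Message)); queueing delete at reboot."
        if (-not $k32::MoveFileEx($DriverPath, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            throw ('MoveFileEx failed, Win32 error ' + [Runtime.InteropServices.Marshal]::GetLastWin32Error())
        }
        # Confirm the request landed. The value is a REG_MULTI_SZ of source/destination pairs;
        # an empty destination after "\??\<path>" means delete.
        $pending = (Get-ItemProperty -LiteralPath $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
        Write-Output 'PendingFileRenameOperations now holds:'
        $pending | ForEach-Object { Write-Output "  [$_]" }
    }
}
# After rebooting, run step 1 again. If the file or the key is back, something
# still running restores it and the removal must be done from outside this Windows.
```

The delete-at-reboot fallback is the same mechanism behind Malwarebytes' "Delete on reboot": MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT appends the path to PendingFileRenameOperations, which the Session Manager processes early in the next boot, but only after boot-start and system-start drivers (Start 0 and 1) are already loaded. A rootkit driver that starts that early can therefore still protect or restore its file, which fits the ComboFix log above listing tmpxisl.sys with a modification time of 2010-03-01 14:16, in the middle of the cleanup session. If the file or the key is back after the reboot, the removal has to be done from outside the running Windows (a boot CD or another installation), not from inside it.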

Thanks for the help, but for now I will wait and see what Cecilia suggests I do; after all, I have been following her instructions all day :)


HookProcess

Thanks for the help, but for now I will wait and see what Cecilia suggests I do; after all, I have been following her instructions all day :)

 

Sounds wise ;)

By the way, here is the direct link to Symantec's tool that you tried to reach through the "Download" button:

ftp://ftp.symantec.c...emoval_Tool.exe

Worked 20 seconds ago, at least :)


On the page http://www.virustotal.com click the Browse button and paste the following filename into the box, click Send File and wait until the result is ready (Current status becomes finished). Paste the results from the various antivirus programs (not the Other information) or a link to the result here.

C:\Windows\System32\drivers\tmpxisl.sys

 

Save Gmer to the Desktop from:

http://www2.gmer.net/download.php

Unpack the file to the Desktop.

Unplug the internet connection.

Close all programs, including antivirus and firewall.

Start the program gmer.exe.

If a question about "scan" comes up, choose No. Save the log and paste it into your reply. Do nothing more.

 

If the question does not come up, choose the Rootkit/Malware tab, check that everything on the right is ticked except Show All and partitions other than C:. Click Scan. Leave the computer alone while Gmer is working.

Click Save and save the result to the Desktop.

Turn on the antivirus program and firewall before you connect to the internet.

Paste the result into your reply.

 

Oops, I completely missed this post. When I enter that filename in the Browse box, a warning window comes up saying that a device attached to the computer is not functioning, so I cannot send the file...
